WordPress has released emergency security updates to address two critical vulnerabilities in its core software that can be chained together to allow unauthenticated remote code execution on default installations. The flaws, collectively dubbed wp2shell, have since been assigned CVE-2026-63030 and CVE-2026-60137.
The disclosure has taken on added urgency following the publication of a working proof-of-concept exploit and technical analyses explaining how the two vulnerabilities can be combined to achieve remote code execution. While there are no confirmed reports of active exploitation at the time of writing, security researchers warn that public availability of exploit code significantly increases the likelihood of opportunistic attacks against unpatched websites.
Powering an estimated 40% of websites on the internet, WordPress remains the world’s most widely deployed content management system. As a result, vulnerabilities affecting WordPress core can expose millions of websites, making rapid patching essential for organizations operating public-facing services.
Two flaws combine into remote code execution
The attack chain consists of two separate vulnerabilities discovered independently by security researchers. CVE-2026-63030 affects the WordPress REST API batch endpoint, while CVE-2026-60137 is a SQL injection vulnerability within WordPress core.
Individually, each flaw presents security risks. When combined, however, an attacker can send a specially crafted anonymous request that bypasses intended protections, reaches the vulnerable SQL query, and ultimately executes arbitrary code on the server without authentication.
According to Searchlight Cyber, whose researchers identified the REST API vulnerability, the attack works against a default WordPress installation and does not require vulnerable plugins, themes, or valid user credentials.
Affected versions
The vulnerabilities affect different WordPress release branches:
- WordPress 6.8.0 through 6.8.5: Affected by the SQL injection vulnerability only. Fixed in version 6.8.6.
- WordPress 6.9.0 through 6.9.4: Vulnerable to the complete remote code execution chain. Fixed in version 6.9.5.
- WordPress 7.0.0 through 7.0.1: Vulnerable to the complete remote code execution chain. Fixed in version 7.0.2.
- WordPress 7.1 Beta 2: Includes fixes for both vulnerabilities.
WordPress has also enabled forced security updates for supported installations that have automatic updates enabled. Administrators should still verify that their websites have successfully updated rather than assuming the patches were automatically applied.
Public exploit raises the risk
Although Searchlight Cyber initially withheld technical exploitation details following responsible disclosure, researchers quickly reverse engineered the publicly available patches. A full explanation of the attack chain has since been published, and a working proof-of-concept exploit is now available on GitHub.
Rapid7 noted that the absence of confirmed in-the-wild exploitation should not be interpreted as low risk, particularly given the unauthenticated nature of the attack and WordPress’s widespread deployment. The company also warned that because WordPress is open source, researchers and threat actors alike can rapidly analyze patches to develop working exploits after updates are released.
Cloudflare has also published managed WAF protections for the vulnerability chain, noting that the remote code execution path requires a site to operate without a persistent object cache. However, this does not mitigate the underlying SQL injection vulnerability, and organizations should not rely on caching as a substitute for installing the official security updates.
Patch immediately
Organizations running affected WordPress installations should prioritize upgrading to the latest patched release as soon as possible. Where immediate patching is not feasible, administrators should consider restricting access to the REST API batch endpoint and ensure web application firewall protections are enabled where available.
Rapid7 said authenticated detection checks for affected systems will be added to Exposure Command, InsightVM, and Nexpose in its July 20 content release. At the time of publication, the vulnerabilities have not been added to CISA’s Known Exploited Vulnerabilities catalog, and no confirmed active exploitation has been publicly reported.












